I want to push a firebase project to an open source github repo. However, I want to secure it, I want to hide the path to database so that no one can read or write to it.
Is there a certain file in my project I shouldn't include in the repo?
Thanks in advance
You should avoid including the google-services.json file.
If you want to conceal the details of your project, don't check in google-services.json, which is the general advice for open source Android projects that use Firebase.
If you publish a version of your app to the Play store, it can be decompiled, and the contents of your google-services.json effectively become public. So, if you are concerned about security, you should mostly pay attention to your app's security rules to make sure that random people cannot read and write data that they shouldn't.
Related
They have sent me a finished .APK . What other files do I need to request so that somebody else can develop it further in future?
Depending on your contract with the developer, you could also need the source code of the application.
If you ever want to switch to another company or developer, in order for them to continue where the others left, they will need the source code of your app. Without the source code, you cannot make any changes to app and publish new versions of it to the Play Store.
For completeness, mentioning what people said in the comments:
the build files of your project (e.g. Gradle configs)
the signing key used to publish the app on the Play Store
HTH
I made my first app, it's a simple to-do list app.
Link:
https://play.google.com/store/apps/details?id=dev.arjun.todolist
The problem is that the app I created is a very simple and basic app and I want to build on it to give extra features to it but I don't know how.
It would be helpful if you could point me in the right direction, any articles or guides will be very much appreciated.
simply make changes to the project i.e add new features etc.
go to build.gradle file and update version code and version name
generate the signed apk with the same keystore that you used
previously for this app.
finaly go google play console and update the apk and you are done.
hope this will help you in someway.
tl;dr: I'm wondering if there's anyway for me to ensure that the source code I (re)viewed on GitHub for an open-source project was actually used to build the APK I'm downloading from Google Play?
Let's say I want to find an app for encrypting files on my local Android device. There are several apps available when googling, many open-source. As I'm going to encrypt sensitive information, I'd like to ensure it's done correctly (and without bad intent), so I review the source code for the app. All looks okay, so I download the app from Google Play and start using it.
If the developer of the app wanted to, they could just offline modify the source code (in a "private build step", so to say), and inject whatever they want (send the unencrypted file content somewhere, fake-encrypt the files, whatever), build the APK and upload that APK to Google Play instead.
Is there anyway to verify the APK actually came from the source code?
I am new to Parse SDK. Is it safe to use Application ID and Client Key within the app? as reverse engineering the APK file might reveal the keys. Is there any other workaround to pull them in the Parse.initialize() function.
Like everything else contained in your APK it is only safe if you obfuscate your code. Make sure that you are using ProGaurd when you build your application and have configured it for gradle if you use Android Studio.
If you use ProGuard to obfuscate your code then you wont have to worry about people being able to unpack your APK and retrieve your Parse credentials.
If you want to test that your ProGaurd configuration is correct you can try and unpack your own APK to make sure everything is obfuscated and hidden as expected. This question will show you the process.
This is something that I have always asked myself. In addition to this you could also use a random keygen to connect to random parse database if you were trying to hack data. I tried to find the SO.com post about this but was unable to do so, regardless, I saw someone post that they had their key strings stored in AWS so that they werent in the APK package. In my opinion you shouldn't have to do this but whatever... Parse is pretty sweet when you cut back on development time and their online data portal is nice as well.
I need to protect my application against copy protection. I saw some apps in market that are unable to extract using any backup applications in my android device.
How can I make my application too against copy?
What you're talking about is currently being deprecated as a way of copy-protecting your app. It's an option you can choose before publishing your app in the Developer's console. A much better and safer approach is to use The License Verification Library.
There is a check box you tick when you are publishing your app. I'm pretty sure that it's near the end of the page, after the payment details section.